Gophish Social Engineering Framework Cheat Sheet
Overview
Gophish is an open-source phishing framework designed for businesses and penetration testers to run real-world phishing simulations. It provides a web interface for creating and managing phishing campaigns, tracking results, and generating reports.
Warning: This tool is intended only for authorized security testing and awareness training. Make sure you have proper authorization before running any phishing campaign.
Installation
Precompiled Binaries
# Download latest release for Linux
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-linux-64bit.zip
unzip gophish-v0.12.1-linux-64bit.zip
chmod +x gophish
# Download for Windows
# Download gophish-v0.12.1-windows-64bit.zip from GitHub releases
# Download for macOS
wget https://github.com/gophish/gophish/releases/latest/download/gophish-v0.12.1-macos-64bit.zip
unzip gophish-v0.12.1-macos-64bit.zip
chmod +x gophish
Build from Source
# Install Go (version 1.19+)
git clone https://github.com/gophish/gophish.git
cd gophish
go build
Docker Installation
# Pull official Docker image
docker pull gophish/gophish
# Run Gophish in Docker
docker run -it -p 3333:3333 -p 8080:8080 gophish/gophish
# Run with persistent data
docker run -it -p 3333:3333 -p 8080:8080 -v /opt/gophish:/opt/gophish gophish/gophish
Basic Usage
Starting Gophish
# Start Gophish server
./gophish
# Start with custom configuration
./gophish --config config.json
# The admin and phishing listen addresses are not command-line flags;
# set admin_server.listen_url and phish_server.listen_url in config.json
Initial Setup
# Default admin credentials (change immediately)
# Username: admin
# Password: gophish
# Access admin interface
# https://localhost:3333
# Access phishing server
# http://localhost:8080
Configuration
Basic Configuration (config.json)
{
  "admin_server": {
    "listen_url": "0.0.0.0:3333",
    "use_tls": true,
    "cert_path": "gophish_admin.crt",
    "key_path": "gophish_admin.key"
  },
  "phish_server": {
    "listen_url": "0.0.0.0:8080",
    "use_tls": false,
    "cert_path": "example.crt",
    "key_path": "example.key"
  },
  "db_name": "sqlite3",
  "db_path": "gophish.db",
  "migrations_prefix": "db/db_",
  "contact_address": "",
  "logging": {
    "filename": "",
    "level": ""
  }
}
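The configuration above exposes the admin interface on every network interface and leaves the phishing listener without TLS. As an added example (not part of the original cheat sheet or the Gophish project), the following Python audit flags such settings in a parsed config.json; the rules and their wording are this example's own policy, and the sample is constructed from the values shown above.

```python
import json

# Constructed sample: the security-relevant values from the config.json shown above.
SAMPLE = json.loads("""{
  "admin_server": {"listen_url": "0.0.0.0:3333", "use_tls": true},
  "phish_server": {"listen_url": "0.0.0.0:8080", "use_tls": false},
  "db_name": "sqlite3", "db_path": "gophish.db", "contact_address": ""
}""")

def binds_all_interfaces(listen_url):
    """True when the host part is empty or a wildcard address."""
    host = listen_url.rsplit(":", 1)[0] if ":" in listen_url else ""
    return host in ("", "0.0.0.0", "[::]")

def audit_config(cfg):
    """Return a list of findings; the rules are this example's own policy."""
    findings = []
    admin = cfg.get("admin_server", {})
    phish = cfg.get("phish_server", {})
    if binds_all_interfaces(admin.get("listen_url", "")):
        findings.append("admin_server.listen_url is reachable on every interface; "
                        "bind it to 127.0.0.1 and reach it through SSH or a VPN")
    if not admin.get("use_tls"):
        findings.append("admin_server.use_tls is off; logins and API keys "
                        "travel in clear text")
    if not phish.get("use_tls"):
        findings.append("phish_server.use_tls is off; data submitted to landing "
                        "pages crosses the network unencrypted")
    if not cfg.get("contact_address"):
        findings.append("contact_address is empty; set a mailbox that owns the exercise")
    if cfg.get("db_name") == "mysql" and "@" in cfg.get("db_path", ""):
        findings.append("db_path embeds database credentials; restrict read "
                        "access to config.json")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print("-", finding)
```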
SSL/TLS Configuration
# Generate self-signed certificate for admin interface
openssl req -newkey rsa:4096 -nodes -keyout gophish_admin.key -x509 -days 365 -out gophish_admin.crt
# Generate certificate for phishing server
openssl req -newkey rsa:4096 -nodes -keyout phish.key -x509 -days 365 -out phish.crt
# Use Let's Encrypt certificate
certbot certonly --standalone -d yourdomain.com
Database Configuration
{
  "db_name": "mysql",
  "db_path": "user:password@tcp(localhost:3306)/gophish?charset=utf8&parseTime=True&loc=Local",
  "migrations_prefix": "db/db_"
}
Campaign Management
Creating Email Templates
<!DOCTYPE html>
<html>
<head>
<title>Security Alert</title>
</head>
<body>
<h2>Security Alert - Action Required</h2>
<p>Dear {{.FirstName}} {{.LastName}},</p>
<p>We have detected suspicious activity on your account.</p>
<p>Please click <a href="{{.URL}}">here</a> to verify your account.</p>
<p>Best regards,<br>IT Security Team</p>
{{.Tracker}}
</body>
</html>
Landing Page Templates
<!DOCTYPE html>
<html>
<head>
<title>Account Verification</title>
<style>
body { font-family: Arial, sans-serif; margin: 50px; }
.form-container { max-width: 400px; margin: auto; }
input { width: 100%; padding: 10px; margin: 10px 0; }
button { background: #007cba; color: white; padding: 10px 20px; border: none; }
</style>
</head>
<body>
<div class="form-container">
<h2>Account Verification</h2>
<form method="post" action="">
<input type="text" name="username" placeholder="Username" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Verify Account</button>
</form>
</div>
{{.Tracker}}
</body>
</html>
Sending Profiles (SMTP)
{
  "name": "Gmail SMTP",
  "host": "smtp.gmail.com:587",
  "username": "your-email@gmail.com",
  "password": "app-password",
  "from_address": "security@company.com",
  "ignore_cert_errors": false
}
User Groups
First Name,Last Name,Email,Position
John,Doe,john.doe@company.com,Manager
Jane,Smith,jane.smith@company.com,Developer
Bob,Johnson,bob.johnson@company.com,Analyst
Advanced Features
Template Variables
{{.FirstName}}
{{.LastName}}
{{.Email}}
{{.Position}}
{{.URL}}
{{.Tracker}}
{{.From}}
{{.RId}}
Custom Headers
{
  "headers": [
    {
      "key": "X-Mailer",
      "value": "Microsoft Outlook 16.0"
    },
    {
      "key": "X-Priority",
      "value": "1"
    }
  ]
}
Webhook Integration
# Configure webhook for real-time notifications
curl -X POST http://localhost:3333/api/webhooks \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{
  "name": "Slack Webhook",
  "url": "https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK",
  "secret": "webhook-secret",
  "is_active": true
}'
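Gophish signs each webhook delivery with the configured secret, so a receiver should verify that signature before trusting an event. The following is an added example, not part of the original cheat sheet or the Gophish project; it assumes the `X-Gophish-Signature: sha256=<hex HMAC-SHA256 of the raw body>` header described in Gophish's webhook documentation, and the sample event is constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-gophish-signature"  # header names are compared in lower case

def sign_body(secret, body):
    """HMAC-SHA256 over the raw request body, in the 'sha256=<hex>' form."""
    digest = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return "sha256=" + digest

def verify_webhook(secret, headers, body):
    """Return the parsed event when the signature matches, otherwise None."""
    lowered = {name.lower(): value for name, value in headers.items()}
    received = lowered.get(SIGNATURE_HEADER, "")
    expected = sign_body(secret, body)
    # compare_digest avoids leaking how many leading characters matched
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None

# Constructed sample event; the secret matches the curl example above.
SECRET = "webhook-secret"
BODY = b'{"campaign_id": 1, "email": "john.doe@company.com", "message": "Clicked Link"}'
GOOD_HEADERS = {"X-Gophish-Signature": sign_body(SECRET, BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY))                        # parsed event
    print(verify_webhook(SECRET, GOOD_HEADERS, BODY.replace(b"1", b"2")))  # None
```

Verify against the raw bytes received, before any JSON parsing or re-serialization, since re-encoding changes the bytes the HMAC covers.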
API Usage
Authentication
# Get API key from admin interface
# Settings > API Keys > Generate New Key
# Use API key in requests
curl -H "Authorization: Bearer YOUR_API_KEY" http://localhost:3333/api/campaigns/
Campaign Management via the API
# List campaigns
curl -H "Authorization: Bearer YOUR_API_KEY" \
http://localhost:3333/api/campaigns/
# Get campaign details
curl -H "Authorization: Bearer YOUR_API_KEY" \
http://localhost:3333/api/campaigns/1
# Create campaign
curl -X POST http://localhost:3333/api/campaigns/ \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{
  "name": "Test Campaign",
  "template": {"name": "Test Template"},
  "page": {"name": "Test Landing Page"},
  "smtp": {"name": "Test SMTP"},
  "groups": [{"name": "Test Group"}],
  "launch_date": "2024-01-01T09:00:00Z"
}'
Results via the API
# Get campaign results
curl -H "Authorization: Bearer YOUR_API_KEY" \
http://localhost:3333/api/campaigns/1/results
# Get campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
http://localhost:3333/api/campaigns/1/summary
Evasion Techniques
Email Evasion
From: IT Security <security@company.com>
Subject: [URGENT] Account Security Alert - Action Required
<a href="https://bit.ly/3xyz123">Verify Account</a>
<img src="{{.Tracker}}" width="1" height="1" style="display:none;">
Domain Spoofing
# Use similar domains
# Original: company.com
# Spoofed: comp4ny.com, company-security.com
# Use subdomains
# security.legitimate-domain.com
# Use URL shorteners
# bit.ly, tinyurl.com, goo.gl
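On the defending side, the lookalike patterns listed above can be flagged in mail or proxy logs. The following is an added example, not part of the original cheat sheet: it classifies observed domains against the organization's real domain. `company.com` and the first sample names come from the comments above, the rest are constructed, and the split into labels is naive (it ignores multi-label public suffixes such as co.uk).

```python
# Digit-for-letter swaps seen in lookalike names: 0->o, 1->l, 3->e, 4->a, 5->s, 7->t
SWAPS = str.maketrans("013457", "oleast")

def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, legit="company.com"):
    """Label an observed domain relative to the organization's real domain."""
    domain = domain.lower().rstrip(".")
    if domain == legit or domain.endswith("." + legit):
        return "legitimate"
    brand = legit.split(".")[0]
    labels = domain.split(".")
    # Naive split: the second-to-last label is treated as the registered name.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if sld == brand:
        return "same-name-other-tld"
    if sld.translate(SWAPS) == brand:
        return "character-substitution"
    if edit_distance(sld, brand) == 1:
        return "one-edit-typo"
    if brand in sld:
        return "brand-embedded"
    if brand in labels[:-2]:
        return "brand-as-subdomain"
    return "unrelated"

# Constructed sample of observed sender or link domains.
OBSERVED = ["company.com", "comp4ny.com", "company-security.com", "mail.company.com",
            "company.com.login.example", "compamy.com", "example.org"]

if __name__ == "__main__":
    for name in OBSERVED:
        print(f"{name:28} {classify(name)}")
```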
Content Obfuscation
<a href="https://evil.com">Click Here</a>
<span style="display:none;">PHISHING</span>Legitimate Content
Legitimate Content
Reporting and Analytics
Campaign Metrics
# Key metrics tracked:
# - Emails sent
# - Emails opened
# - Links clicked
# - Data submitted
# - Email reported
# Timeline tracking:
# - When emails were opened
# - When links were clicked
# - Geographic data
# - User agent information
Exporting Results
# Export campaign results to CSV
curl -H "Authorization: Bearer YOUR_API_KEY" \
"http://localhost:3333/api/campaigns/1/results?format=csv" \
-o campaign_results.csv
# Export campaign summary
curl -H "Authorization: Bearer YOUR_API_KEY" \
"http://localhost:3333/api/campaigns/1/summary?format=json" \
-o campaign_summary.json
Custom Reports
# Python script for custom reporting
import requests

api_key = "YOUR_API_KEY"
base_url = "http://localhost:3333/api"
headers = {"Authorization": f"Bearer {api_key}"}

# Get all campaigns
campaigns = requests.get(f"{base_url}/campaigns/", headers=headers).json()
for campaign in campaigns:
    # The results endpoint returns a campaign object; per-recipient rows are under "results"
    data = requests.get(f"{base_url}/campaigns/{campaign['id']}/results", headers=headers).json()
    results = data.get("results", [])
    # Calculate metrics (status holds each recipient's most recent state)
    total_sent = len(results)
    opened = len([r for r in results if r['status'] == 'Email Opened'])
    clicked = len([r for r in results if r['status'] == 'Clicked Link'])
    submitted = len([r for r in results if r['status'] == 'Submitted Data'])
    print(f"Campaign: {campaign['name']}")
    print(f"Sent: {total_sent}, Opened: {opened}, Clicked: {clicked}, Submitted: {submitted}")
Security Considerations
Operational Security
# Use VPS or cloud infrastructure
# Implement proper access controls
# Use encrypted communications
# Regular security updates
# Monitor for detection
Legal Considerations
# Obtain written authorization
# Define scope and limitations
# Implement opt-out mechanisms
# Protect collected data
# Follow data protection laws
Ethical Guidelines
# Educational purpose only
# Minimize psychological impact
# Provide immediate feedback
# Offer security training
# Respect privacy rights
Troubleshooting
Email Delivery Issues
# Check SMTP configuration
# Verify DNS records (SPF, DKIM, DMARC)
# Test with different email providers
# Monitor reputation scores
# Use authenticated SMTP
SSL/TLS Issues
# Verify certificate validity
openssl x509 -in certificate.crt -text -noout
# Test SSL configuration
openssl s_client -connect domain.com:443
# Check certificate chain
curl -vI https://domain.com
Database Issues
# Backup database
cp gophish.db gophish.db.backup
# Check database integrity
sqlite3 gophish.db "PRAGMA integrity_check;"
# Repair database if needed
sqlite3 gophish.db ".recover" | sqlite3 gophish_recovered.db
Performance Issues
# Monitor resource usage
top -p $(pgrep gophish)
# Optimize database
sqlite3 gophish.db "VACUUM;"
# Increase system limits
ulimit -n 65536
Integration Examples
Slack Integration
# Webhook for Slack notifications
import requests

def send_slack_notification(webhook_url, message):
    payload = {
        "text": message,
        "username": "Gophish",
        "icon_emoji": ":fishing_pole_and_fish:"
    }
    response = requests.post(webhook_url, json=payload)
    return response.status_code == 200
SIEM Integration
# Send events to SIEM
import syslog

def log_phishing_event(event_type, user_email, campaign_name):
    message = f"Phishing Event: {event_type} - User: {user_email} - Campaign: {campaign_name}"
    syslog.syslog(syslog.LOG_WARNING, message)
Active Directory Integration
# Check user against Active Directory
import ldap3
from ldap3.utils.conv import escape_filter_chars

def check_user_in_ad(username, ad_server, ad_user, ad_password):
    server = ldap3.Server(ad_server)
    conn = ldap3.Connection(server, ad_user, ad_password)
    if conn.bind():
        # Escape the value so filter metacharacters in username cannot alter the query
        search_filter = f"(sAMAccountName={escape_filter_chars(username)})"
        conn.search('dc=company,dc=com', search_filter)
        return len(conn.entries) > 0
    return False
Resources
- Official Gophish Site
- Gophish GitHub Repository
- Gophish Documentation
- Gophish User Guide
- Phishing Awareness Training
-...
*This cheat sheet provides a comprehensive reference for using Gophish. Always make sure you have proper authorization and follow ethical guidelines when running phishing simulations.*